Closed jmeldrum76 closed 4 years ago
Hi @jmeldrum76 - the variable is computed via the provider, which means that you should be able to use it after terraform apply. What value are you seeing when accessing the property in your Terraform configuration file post apply?
Hi @jmeldrum76 - just confirmed things are working over here as expected. Can you do me a favor and share your Terraform file? After you run apply, can you run a terraform show and share the results here?
@jmeldrum76 Below is the TF snippet that I use to accomplish the route53 record add.
resource "aws_route53_record" "superveda_record" {
  depends_on = ["incapsula_site.superveda"]
  name       = "stage-superveda.${data.aws_route53_zone.zone.name}"
  type       = "CNAME"
  zone_id    = "${data.aws_route53_zone.zone.zone_id}"
  ttl        = "60"
  records    = ["${incapsula_site.superveda.dns_cname_record_value}"]
}
Hi Joe,
I am finally getting back into this project. I am needing to create about 150 sites using Terraform but as mentioned above, I can’t seem to get the cname record during the site creation. I tried your snippet of code and get an error “Null value found in list”.
Could it be a problem with version 0.12.18 of terraform?
Here are the versions that I am running:
venafilab@DESKTOP-0F6RKJH:~/Terraform/Demo Env/Incapsula$ terraform version
Terraform v0.12.18
provider.aws v2.50.0
provider.incapsula v2.1.0
provider.venafi v0.9.0
Here is my terraform show:
===================================================================
venafilab@DESKTOP-0F6RKJH:~/Terraform/Demo Env/Incapsula$ terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
Terraform will perform the following actions:
resource "incapsula_custom_certificate" "custom-certificate" {
certificate = (known after apply)
id = (known after apply)
passphrase = (sensitive value)
private_key = (sensitive value)
site_id = (known after apply)
}
resource "incapsula_site" "example-site" {
dns_a_record_name = (known after apply)
dns_a_record_value = (known after apply)
dns_cname_record_name = (known after apply)
dns_cname_record_value = (known after apply)
domain = "incapsulatest4.se.venafi.com"
id = (known after apply)
ref_id = "12345"
site_creation_date = (known after apply)
}
resource "venafi_certificate" "webserver" {
algorithm = "RSA"
certificate = (known after apply)
certificate_dn = (known after apply)
chain = (known after apply)
common_name = "incapsulatest4.se.venafi.com"
csr_pem = (known after apply)
ecdsa_curve = "P521"
expiration_window = 168
id = (known after apply)
private_key_pem = (known after apply)
rsa_bits = 2048
san_dns = [
"san_example.se.venafi.com",
"anothersan_example.se.venafi.com",
]
}
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
venafi_certificate.webserver: Creating...
incapsula_site.example-site: Creating...
venafi_certificate.webserver: Creation complete after 4s [id=\VED\Policy\Demo\APIs\HashiCorp Terraform\incapsulatest4.se.venafi.com]
incapsula_site.example-site: Creation complete after 5s [id=68207620]
incapsula_custom_certificate.custom-certificate: Creating...
incapsula_custom_certificate.custom-certificate: Creation complete after 1s [id=12345]
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
Outputs:
Incapsula_Domain = incapsulatest4.se.venafi.com
Incapsula_Site_ID = 68207620
venafilab@DESKTOP-0F6RKJH:~/Terraform/Demo Env/Incapsula$ terraform show >output.txt
venafilab@DESKTOP-0F6RKJH:~/Terraform/Demo Env/Incapsula$ terraform show >>output2.txt
venafilab@DESKTOP-0F6RKJH:~/Terraform/Demo Env/Incapsula$ terraform show
resource "incapsula_custom_certificate" "custom-certificate" {
certificate = <<~EOT
-----BEGIN CERTIFICATE-----
………
-----END CERTIFICATE-----
EOT
id = "12345"
passphrase = (sensitive value)
private_key = (sensitive value)
site_id = "68207620"
}
resource "incapsula_site" "example-site" {
dns_a_record_value = []
domain = "incapsulatest4.se.venafi.com"
id = "68207620"
ref_id = "12345"
site_creation_date = 1582675131000
}
resource "venafi_certificate" "webserver" {
algorithm = "RSA"
certificate = <<~EOT
-----BEGIN CERTIFICATE-----
………
-----END CERTIFICATE-----
EOT
certificate_dn = "\\VED\\Policy\\Demo\\APIs\\HashiCorp Terraform\\incapsulatest4.se.venafi.com"
chain = <<~EOT
-----BEGIN CERTIFICATE-----
………….
-----END CERTIFICATE-----
EOT
common_name = "incapsulatest4.se.venafi.com"
ecdsa_curve = "P521"
expiration_window = 168
id = "\\VED\\Policy\\Demo\\APIs\\HashiCorp Terraform\\incapsulatest4.se.venafi.com"
private_key_pem = <<Removed>
rsa_bits = 2048
san_dns = [
"san_example.se.venafi.com",
"anothersan_example.se.venafi.com",
]
}
Outputs:
Incapsula_Domain = "incapsulatest4.se.venafi.com"
Incapsula_Site_ID = "68207620"
venafilab@DESKTOP-0F6RKJH:~/Terraform/Demo Env/Incapsula$
=========================================================
Here is my Terraform file:
provider "venafi" {
  #alias = "tpp"
  url          = "https://tppdemo.se.venafi.com:443/vedsdk"
  tpp_username = var.tppusername
  tpp_password = var.tpppassword
  zone         = "Demo\\APIs\\HashiCorp Terraform"
  trust_bundle = file("venafilab_trust_bundle.pem")
}
resource "venafi_certificate" "webserver" {
  common_name = "incapsulatest4.se.venafi.com"
  algorithm   = "RSA"
  rsa_bits    = "2048"
  san_dns = [
    "san_example.se.venafi.com",
    "anothersan_example.se.venafi.com"
  ]
  #key_password = "${var.pk_pass}"
}
provider "incapsula" {
  api_id  = var.incapsula_api_id
  api_key = var.incapsula_api_key
}
resource "incapsula_site" "example-site" {
  domain = "incapsulatest4.se.venafi.com"
  ref_id = "12345"
}
resource "incapsula_custom_certificate" "custom-certificate" {
  site_id     = incapsula_site.example-site.id
  certificate = venafi_certificate.webserver.certificate
  private_key = venafi_certificate.webserver.private_key_pem
  passphrase  = "Passw0rd123"
}
provider "aws" {
  region  = "us-east-1"
  profile = "default"
}
resource "aws_route53_record" "incapsula_record" {
  depends_on = [incapsula_site.example-site]
  zone_id    = "Z2OK9J9XX7JRH6"
  name       = "${var.Incapsula_DNS_Name}${var.Incapsula_Iteration}${var.My_Domain}"
  type       = "CNAME"
  ttl        = "60"
  records    = ["${incapsula_site.example-site.dns_cname_record_value}"]
}
output "Incapsula_Site_ID" {
  value = incapsula_site.example-site.id
}
output "Incapsula_Domain" {
  value = incapsula_site.example-site.domain
}
output "Incapsula_dns_a_record_name" {
  value = incapsula_site.example-site.dns_a_record_name
}
output "Incapsula_dns_cname_record_name" {
  value = incapsula_site.example-site.dns_cname_record_name
}
output "Incapsula_CNAME_Value" {
  value = incapsula_site.example-site.dns_cname_record_value
}
Any help would be greatly appreciated.
Regards,
Jeremy Meldrum
Hi,
I was wondering if there is anyone that could help me identify why this is not working. Is this a bug? I have about 140 sites that I need to create using Terraform (This week if possible). This bug is holding up the deployment.
Thanks in advance,
Jeremy Meldrum
Jeremy, it looks like this may be a bug as I have been able to replicate on my side, but can you please confirm that you are using the following site add resource:
resource "incapsula_site" "example-site" {
  domain = "incapsulatest4.se.venafi.com"
  ref_id = "12345"
}
Yes, you are correct. That is what my site add resources looks like.
Let me know if you need anything else.
Regards,
Jeremy Meldrum
Hi Joe,
Is there anything we need to do to flag this as a bug? Also do you know what the ETA will be for this to be fixed? :-).
I could really use this feature. All of my other code is ready to go once I can get this last piece accomplished.
Thanks again,
Jeremy Meldrum
Hi Jeremy, I have forwarded this issue on to the PM and engineering internally; please give them till tomorrow to respond. Thousands of people use the API to create sites and I can't understand how this is any different but I'll update you when I hear back.
Is there something that I could change in my terraform plan to workaround the issue for now?
Jeremy, I sent you an email to work through this with you, please let me know if you have time.
Was any progress made on this issue? I'm seeing similar behavior while trying to use this provider on a legacy Terraform project (using Terraform 0.11.13).
Using the following code:
provider "incapsula" {
  api_id  = "12345"
  api_key = "mykey..."
}
resource "incapsula_site" "site" {
  domain                 = "${var.domain_url}"
  send_site_setup_emails = "false"
  site_ip                = "${var.site_ip}"
  force_ssl              = "true"
}
output "dns_cname_record_name" {
  depends_on = ["incapsula_site.site"]
  value      = "${incapsula_site.site.dns_cname_record_name}"
}
gives me the following error when running terraform apply:
Error: Error running plan: 1 error(s) occurred:
* module.imperva_site.output.dns_cname_record_name: Resource 'incapsula_site.site' does not have attribute 'dns_cname_record_name' for variable 'incapsula_site.site.dns_cname_record_name'
This seems like it could be an underlying issue with Imperva itself. After creating a site using Terraform and then querying for it using Imperva's REST API (using the Get site report endpoint), I'm not getting anything back in the dns field:
{
  "site_id": xxxxxxx,
  "statusEnum": "pending_ssl_approval",
  "status": "pending-certificate",
  "domain": "dummy.example.com",
  "account_id": xxxxxxx,
  "acceleration_level": "advanced",
  "site_creation_date": xxxxxxxxx,
  "ips": [
    "elb-dummy.us-east-1.elb.amazonaws.com"
  ],
  "dns": [],
  "original_dns": [
    {
      "dns_record_name": "example.com",
      "set_type_to": "A",
      "set_data_to": [
        ""
      ]
    },
    {
      "dns_record_name": "dummy.example.com",
      "set_type_to": "CNAME",
      "set_data_to": [
        "elb-dummy.us-east-1.elb.amazonaws.com"
      ]
    }
  ],
  ...
}
Another wrinkle: this output appears to be missing only if force_ssl is set to true. Setting it to false causes these outputs to populate correctly.
Did more digging today, this issue appears to be a result of how Imperva creates new sites. When creating a new site with SSL enabled (by setting force_ssl = "true" in your incapsula_site resource), Imperva goes through its default site creation workflow (documented here). This causes the site to be created in pending-certificate status, which means Imperva has created a default SSL certificate for this site and requires action from the user to validate it.
In my case, I'm providing a custom certificate, so I don't care about the one Imperva provides. To get around this, you can either
https://my.imperva.com/api/prov/v1/sites/configure?api_id=<your api id>&api_key=<your api key>&site_id=<your site id>&param=remove_ssl&value=true
After that, the site's status should be in pending-dns-changes. Performing a terraform refresh will then populate the expected DNS-related attributes.
For this issue, I'd propose that if the user provides a custom certificate for an Imperva site and the site is still in pending-certificate status, the Incapsula provider should POST to the /api/prov/v1/sites/configure endpoint to remove the default Imperva-generated SSL certificate.
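The decision described in the comment above, as an added example that is not part of the thread or the provider's code: it reads a site report, decides whether the default certificate has to be removed before the DNS attributes can appear, and builds the configure call with the credentials in the POST body instead of the URL. Assumptions: the API accepts api_id and api_key as form fields, entries in "dns" use the same keys as "original_dns" in the report quoted earlier, and the sample responses, CNAME value and credential placeholders are constructed.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

CONFIGURE_URL = "https://my.imperva.com/api/prov/v1/sites/configure"  # endpoint from the thread

# Constructed sample responses, modelled on the site report quoted in the thread.
PENDING_CERT = json.loads("""{
  "site_id": 1111, "status": "pending-certificate", "domain": "dummy.example.com",
  "dns": []
}""")
PENDING_DNS = json.loads("""{
  "site_id": 1111, "status": "pending-dns-changes", "domain": "dummy.example.com",
  "dns": [
    {"dns_record_name": "dummy.example.com", "set_type_to": "CNAME",
     "set_data_to": ["placeholder.cname.example.net"]}
  ]
}""")


def cname_target(site):
    """Return the CNAME value from the 'dns' list, or None if it is not populated.
    Assumes 'dns' entries have the same keys as 'original_dns' in the thread."""
    for rec in site.get("dns") or []:
        if rec.get("set_type_to") == "CNAME" and rec.get("set_data_to"):
            return rec["set_data_to"][0] or None
    return None


def next_step(site, has_custom_cert):
    """Decide what the automation should do next for one site."""
    if cname_target(site):
        return "refresh"        # terraform refresh can now fill dns_cname_record_value
    if site.get("status") == "pending-certificate" and has_custom_cert:
        return "remove_ssl"     # drop the Imperva-generated default certificate
    return "wait"               # nothing safe to automate yet


def remove_ssl_request(site_id, api_id, api_key):
    """Build (not send) the configure call with credentials in the POST body,
    so the API key does not end up in URLs, proxy logs or shell history."""
    body = urlencode({"api_id": api_id, "api_key": api_key, "site_id": site_id,
                      "param": "remove_ssl", "value": "true"}).encode()
    return Request(CONFIGURE_URL, data=body, method="POST")


if __name__ == "__main__":
    print(next_step(PENDING_CERT, has_custom_cert=True))
    print(next_step(PENDING_DNS, has_custom_cert=True), cname_target(PENDING_DNS))
    req = remove_ssl_request(1111, "API_ID_PLACEHOLDER", "API_KEY_PLACEHOLDER")
    print(req.get_method(), req.full_url)
```
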
This was resolved by @joeymoore back in April. @areifert - you should be able to see the fix in this repository. Let us know if you need more help.
Hi,
I am wondering if there was ever a fix for this? What @anandkunal stated is correct. I would really like to use the native Terraform Incapsula provider. Currently I am going to need to write a bash script to use the api through the Terraform null_resource to remove the cancel the default ssl certificate and get the Incapsula_CNAME_Value. This is going to be a pain.
Note: Do I need to open a new issue for this since this one is closed but not fixed?
Here is a refresh of the steps to take for each site creation to work around the issue:
Any help would be greatly appreciated.
Jeremy Meldrum
Hi,
I am unable to output the "dns_cname_record_value" when adding a site. This is very important so that I can change the DNS Name record (Route53) in amazon through terraform automatically.